'\" te
.\"  Copyright 1989 AT&T Copyright (c) 2002, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH SHADOW 5 "Feb 25, 2017"
.SH NAME
shadow \- shadow password file
.SH DESCRIPTION
.LP
\fB/etc/shadow\fR is an access-restricted ASCII system file that stores users'
encrypted passwords and related information. The shadow file can be used in
conjunction with other shadow sources, including the \fBNIS\fR maps
\fBpasswd.byname\fR and \fBpasswd.byuid\fR.
Programs use the \fBgetspnam\fR(3C) routines to access this information.
.sp
.LP
The fields for each user entry are separated by colons. Each user is separated
from the next by a newline. Unlike the \fB/etc/passwd\fR file,
\fB/etc/shadow\fR does not have general read permission.
.sp
.LP
Each entry in the shadow file has the form:
.sp
.in +2
.nf
\fIusername\fR:\fIpassword\fR:\fIlastchg\fR:\fImin\fR:\fImax\fR:\fIwarn\fR:\fIinactive\fR:\fIexpire\fR:\fIflag\fR
.fi
.in -2

.sp
.LP
The fields are defined as follows:
.sp
.ne 2
.na
\fB\fIusername\fR\fR
.ad
.RS 12n
The user's login name (UID).
.RE

.sp
.ne 2
.na
\fB\fIpassword\fR\fR
.ad
.RS 12n
An encrypted password for the user generated by \fBcrypt\fR(3C), a \fIlock\fR
string to indicate that the login is not accessible, or no string, which shows
that there is no password for the login.
.sp
The lock string is defined as \fB*LK*\fR in the first four characters of the
password field.
.RE

.sp
.ne 2
.na
\fB\fIlastchg\fR\fR
.ad
.RS 12n
The number of days between January 1, 1970, and the date that the password was
last modified. The \fIlastchg\fR value is a decimal number, as interpreted by
\fBstrtol\fR(3C).
.RE

.sp
.ne 2
.na
\fB\fImin\fR\fR
.ad
.RS 12n
The minimum number of days required between password changes. This field must
be set to 0 or above to enable password aging.
.RE

.sp
.ne 2
.na
\fB\fImax\fR\fR
.ad
.RS 12n
The maximum number of days the password is valid.
.RE

.sp
.ne 2
.na
\fB\fIwarn\fR\fR
.ad
.RS 12n
The number of days before password expires that the user is warned.
.RE

.sp
.ne 2
.na
\fB\fIinactive\fR\fR
.ad
.RS 12n
The number of days of inactivity allowed for that user. This is counted on a
per-machine basis; the information about the last login is taken from the
machine's \fBlastlog\fR file.
.RE

.sp
.ne 2
.na
\fB\fIexpire\fR\fR
.ad
.RS 12n
An absolute date expressed as the number of days since the Unix Epoch (January
1, 1970). When this number is reached the login can no longer be used. For
example, an \fIexpire\fR value of \fB13514\fR specifies a login expiration of
January 1, 2007.
.RE

.sp
.ne 2
.na
\fB\fIflag\fR\fR
.ad
.RS 12n
Failed login count in low order four bits; remainder reserved for future use,
set to zero.
.RE

.sp
.LP
A value of \fB-1\fR for \fImin\fR, \fImax\fR, or \fIwarn\fR disables password
aging.
.sp
.LP
The encrypted password consists of at most \fBCRYPT_MAXCIPHERTEXTLEN\fR
characters chosen from a 64-character alphabet (\fB\&.\fR, \fB/\fR,
\fB0\(mi9\fR, \fBA\(miZ\fR, \fBa\(miz\fR). Two additional special characters,
"$" and ",", can also be used and are defined in \fBcrypt\fR(3C). To update
this file, use the \fBpasswd\fR(1), \fBuseradd\fR(8), \fBusermod\fR(8), or
\fBuserdel\fR(8) commands.
.sp
.LP
In order to make system administration manageable, \fB/etc/shadow\fR entries
should appear in exactly the same order as \fB/etc/passwd\fR entries; this
includes ``+'' and ``-'' entries if the \fBcompat\fR source is being used (see
\fBnsswitch.conf\fR(5)).
.sp
.LP
Values for the various time-related fields are interpreted as Greenwich Mean
Time.
.SH FILES
.ne 2
.na
\fB\fB/etc/shadow\fR\fR
.ad
.RS 22n
shadow password file
.RE

.sp
.ne 2
.na
\fB\fB/etc/passwd\fR\fR
.ad
.RS 22n
password file
.RE

.sp
.ne 2
.na
\fB\fB/etc/nsswitch.conf\fR\fR
.ad
.RS 22n
name-service switch configuration file
.RE

.sp
.ne 2
.na
\fB\fB/var/adm/lastlog\fR\fR
.ad
.RS 22n
time of last login
.RE

.SH ATTRIBUTES
.LP
See \fBattributes\fR(7) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	Stable
.TE

.SH SEE ALSO
.LP
.BR login (1),
.BR passwd (1),
.BR crypt (3C),
.BR crypt_gensalt (3C),
.BR getspnam (3C),
.BR putspent (3C),
.BR strtol (3C),
.BR nsswitch.conf (5),
.BR passwd (5),
.BR attributes (7),
.BR pam_unix_account (7),
.BR pam_unix_auth (7),
.BR useradd (8),
.BR userdel (8),
.BR usermod (8)
.SH NOTES
.LP
If password aging is turned on in any name service the \fIpasswd:\fR line in
the \fB/etc/nsswitch.conf\fR file must have a format specified in the
\fBnsswitch.conf\fR(5) man page.
.sp
.LP
If the \fB/etc/nsswitch.conf\fR passwd policy is not in one of the supported
formats, logins will not be allowed upon password expiration, because the
software does not know how to handle password updates under these conditions.
See \fBnsswitch.conf\fR(5) for additional information.
